
New-NetIPsecPhase1AuthSet



This is the built-in help made by Microsoft for the command 'New-NetIPsecPhase1AuthSet', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where Update-Help is available, Update-Help was run just before the web pages were generated from the help files.

SYNOPSIS

Creates a phase 1 authentication set that specifies the methods offered for main mode first authentication during IPsec negotiations.

SYNTAX


New-NetIPsecPhase1AuthSet [-AsJob] [-CimSession <CimSession[]>] [-Default] [-Description <String>] [-GPOSession <String>] [-Group <String>] [-Name <String>] [-PolicyStore
<String>] [-ThrottleLimit <Int32>] -DisplayName <String> -Proposal <CimInstance[]> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecPhase1AuthSet cmdlet creates a set of authentication methods to use during IPsec negotiations. The first phase of authentication is typically a computer
authentication method such as Kerberos v5, certificate, or pre-shared key authentication.


A phase 1 authentication set contains an ordered list of computer authentication proposals. A proposal is created by running the New-NetIPsecAuthProposal cmdlet. During the
main mode negotiation, the first proposal that both peers have in common will be used for mutual authentication. A NetIPsecPhase1AuthSet object and a
NetIPsecMainModeCryptoSet object provide all of the necessary security association (SA) parameters for a NetIPsecMainModeRule object. Use the Get-NetIPsecMainModeSA cmdlet
to monitor the SAs that are created.


The newly created authentication set can be associated with one or more IPsec rules using the Set-NetIPsecRule cmdlet or the Set-NetIPsecMainModeRule cmdlet.
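The description above lays out the full chain: authentication proposals go into a phase 1 set, cryptographic proposals go into a main mode crypto set, a main mode rule binds the two, and Get-NetIPsecMainModeSA shows the SAs that result. The following script walks that chain end to end. It is an added example, not part of the Microsoft help text, and it assumes placeholder values: a root CA subject of "C=US,O=EXAMPLE,CN=Example Root CA", a peer subnet of 10.0.0.0/24, and the local machine's PersistentStore policy store. The Proposal property of the returned set object and the property names used in the final Select-Object are taken from the cmdlets' default output and are treated here as assumptions.

```powershell
# Added example (not from the Microsoft help text): phase 1 auth set, main mode
# crypto set, main mode rule, and verification, run on the local policy store.
# Placeholders (assumptions): CA subject, peer subnet 10.0.0.0/24, PersistentStore.
$ErrorActionPreference = 'Stop'

# Phase 1 (main mode) computer authentication. The set is an ordered list:
# the first proposal both peers have in common is the one negotiated, so the
# preferred method (certificate) goes first and Kerberos is the fallback.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "C=US,O=EXAMPLE,CN=Example Root CA" -AuthorityType Root
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos

$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Phase1 Cert or Kerberos" `
    -Proposal $certProposal, $kerbProposal -PolicyStore PersistentStore

# Main mode crypto set with a single strong proposal: AES-256, SHA-256,
# and the ECP-384 group (DH19), one of the groups this page's examples use.
$strong = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH19
$mmCrypto = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode AES256-SHA256-DH19" `
    -Proposal $strong -PolicyStore PersistentStore

# The main mode rule ties both sets to traffic with the peer subnet. The rule
# must live in the same policy store as the sets it references by Name.
New-NetIPsecMainModeRule -DisplayName "Main Mode to 10.0.0.0/24" `
    -Phase1AuthSet $p1Auth.Name -MainModeCryptoSet $mmCrypto.Name `
    -LocalAddress Any -RemoteAddress 10.0.0.0/24 -PolicyStore PersistentStore

# Verify what was stored. Proposal is assumed to be the property that holds the
# ordered list of authentication proposals, as shown in the cmdlet's output.
Get-NetIPsecPhase1AuthSet -DisplayName "Phase1 Cert or Kerberos" -PolicyStore PersistentStore |
    Select-Object Name, DisplayName, @{ n = 'ProposalCount'; e = { @($_.Proposal).Count } }

# Once traffic to the peer flows, the negotiated main mode SAs appear here. The
# property names below are those shown in the cmdlet's default output (assumption).
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod,
                  CipherAlgorithm, HashAlgorithm, GroupId
```

Creating the sets and the rule in PersistentStore makes the configuration survive a reboot; omitting -PolicyStore on all three would equally work as long as every object ends up in the same store, since the rule references the sets by Name.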




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=288044
Get-NetIPsecMainModeCryptoSet
Get-NetIPsecMainModeSA
New-NetIPsecMainModeCryptoSet
New-NetIPsecPhase2AuthSet
New-NetIPSecRule
Rename-NetIPsecMainModeCryptoSet
Open-NetGPO
Save-NetGPO
Set-NetIPsecMainModeCryptoSet
Set-NetIPsecMainModeRule
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-NetIPsecMainModeCryptoProposal
New-GPO

REMARKS


Examples


EXAMPLE 1

PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root

PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root

PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal

PS C:\>New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name

This example creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful.

EXAMPLE 2

PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos

PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM

PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Computer Auth" -Proposal $mkerbauthprop,$mntlmauthprop

PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos

PS C:\>$untlmauthprop = New-NetIPsecAuthProposal -User -NTLM

PS C:\>$anonyauthprop = New-NetIPsecAuthProposal -Anonymous

PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$untlmauthprop,$anonyauthprop

PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name

This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.

EXAMPLE 3

PS C:\>$proposal1 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1

PS C:\>$proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14

PS C:\>$proposal3 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19

PS C:\>$mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3

PS C:\>New-NetIPsecMainModeRule -DisplayName "Custom Main Mode Rule" -MainModeCryptoSet $mmCryptoSet.Name

This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals.

EXAMPLE 4

PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root

PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root

PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal

PS C:\>New-NetIPsecMainModeRule -DisplayName "Main Mode Authenticate with Certificates Rule" -Phase1AuthSet $certAuthSet.Name

This example creates a main mode rule that requires that incoming connections are authenticated by using either of two computer certificates.

EXAMPLE 5

PS C:\>$proposal1 = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN=Microsoft Root Authority" -AuthorityType Root

PS C:\>$poAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $proposal1

PS C:\>$proposal2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1

PS C:\>$mmCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "dhgroup2:3des-sha256,3des-sha384" -Proposal $proposal2

PS C:\>New-NetIPsecMainModeRule -DisplayName "Alternate Main Mode Rule" -LocalAddress Any -RemoteAddress 192.168.0.5 -Phase1AuthSet $poAuthSet.Name -MainModeCryptoSet $mmCryptoSet.Name

This example creates a main mode rule that specifies using alternate authentication and security methods for clients that communicate with the server at address 192.168.0.5 only.
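Examples 3 and 5 both offer DES3, MD5 and DH1 in their main mode crypto sets, and Example 5 gives its set a display name ("dhgroup2:3des-sha256,3des-sha384") that does not match the single DES3/MD5/DH1 proposal it actually contains. The audit script below, an added example that is not part of the Microsoft help text, reads the main mode crypto sets from a policy store and reports every proposal whose algorithms fall on a local weak list, judging each proposal by its properties rather than by the set's display name. It assumes that a NetIPsecMainModeCryptoSet exposes its proposals through a Proposal property whose elements carry Encryption, Hash and KeyExchange properties, as the cmdlets' output shows; the weak lists themselves are a local policy choice and are marked as such.

```powershell
# Added audit example (not from the Microsoft help text): list main mode crypto
# proposals that use algorithms on a local weak list. Assumes the Proposal
# property of each set holds objects with Encryption, Hash and KeyExchange
# properties (as displayed by Get-NetIPsecMainModeCryptoSet).

# Local policy choice: which values count as weak. DH14 (2048-bit MODP) is
# included here conservatively; remove it if it is acceptable in your environment.
$WeakEncryption  = @('DES', 'DES3')
$WeakHash        = @('MD5', 'SHA1')
$WeakKeyExchange = @('DH1', 'DH2', 'DH14')

function Test-WeakMainModeProposal {
    # Returns the list of reasons a single proposal is considered weak
    # (empty when the proposal passes). Values are cast to string so the
    # comparison works whether the property is an enum or a display string.
    param([Parameter(Mandatory)] $Proposal)
    $reasons = @()
    $enc = [string]$Proposal.Encryption
    $hash = [string]$Proposal.Hash
    $kex = [string]$Proposal.KeyExchange
    if ($enc -in $WeakEncryption)   { $reasons += "Encryption=$enc" }
    if ($hash -in $WeakHash)        { $reasons += "Hash=$hash" }
    if ($kex -in $WeakKeyExchange)  { $reasons += "KeyExchange=$kex" }
    return $reasons
}

function Get-WeakMainModeCryptoSet {
    # Walks every main mode crypto set in the given store and emits one
    # record per weak proposal, with the 1-based position of the proposal
    # inside the set (position matters: the first common proposal wins).
    param([string] $PolicyStore = 'ActiveStore')
    Get-NetIPsecMainModeCryptoSet -PolicyStore $PolicyStore | ForEach-Object {
        $set = $_
        $position = 0
        foreach ($p in @($set.Proposal)) {
            $position++
            $why = Test-WeakMainModeProposal -Proposal $p
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    DisplayName = $set.DisplayName
                    Name        = $set.Name
                    Position    = $position
                    Findings    = ($why -join ', ')
                }
            }
        }
    }
}

# ActiveStore shows the policy actually in effect, including GPO-delivered sets.
Get-WeakMainModeCryptoSet -PolicyStore ActiveStore | Format-Table -AutoSize
```

Running this against a machine where Example 3's set is in effect would report its first and third proposals for DES3/MD5 and its second for MD5 (and DH14, if kept on the list), which is the information needed before replacing the set with stronger proposals such as AES256/SHA256/DH19 via New-NetIPsecMainModeCryptoProposal and Set-NetIPsecMainModeCryptoSet.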